Active Directory and VPN tunnels

Darksamie

Senior member
Mar 23, 2000
220
0
0

I have a query about Active Directory and what you can and cannot do -

I have a VPN set up between a few of my offices and wanted to add another branch office into the mix. From what I understand of AD, I would need to create tunnels from this office to every other office which has an AD server of the same domain.

Is there any way around this?

The reason why I ask is that the firewall we have in this smaller office can only handle one VPN connection and hence cannot have a tunnel to the other offices (therefore no ability to replicate the AD).

Anyone knowledgeable on this?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
You could always use a dedicated line between offices. Putting one of the AD boxes directly on the Internet in front of the firewalls would also probably work, but it would be really, really stupid.
 

Darksamie

Senior member
Mar 23, 2000
220
0
0

A dedicated line between offices would not help in this scenario. I would need dedicated line(s) due to the fact that it is a many to many connection.

i.e. In the case of 4 offices, there would need to be 3 lines from each office to each office.
 

KB

Diamond Member
Nov 8, 1999
5,401
386
126
Originally posted by: Darksamie

I have a query about Active directory and what you can and cannot do -

I have a VPN set up between a few of my offices and wanted to add another branch office into the mix. From what I understand of AD, I would need to create tunnels from this office to every other office which has an AD server of the same domain.

Is there any way around this?

Nope. There are two AD replication protocols. They are discussed here: http://www.microsoft.com/technet/prodte...edirectory/deploy/projplan/adarch.mspx

Replication Protocols

Directory information can be exchanged using the following network protocols:

- IP replication. IP replication uses remote procedure calls (RPC) for replication within a site (intra-site) and over site links (inter-site). By default, inter-site IP replication adheres to replication schedules. IP replication does not require a certification authority (CA).

- SMTP replication. If you have a site that has no physical connection to the rest of your network but that can be reached via Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You cannot use SMTP replication to replicate between domain controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.

If you choose to use SMTP over site links, you must install and configure an enterprise certification authority (CA). The domain controllers obtain certificates from the CA, which the domain controllers then use to sign and encrypt the mail messages that contain directory replication information, ensuring the authenticity of directory updates. SMTP replication uses 56-bit encryption.



You could use SMTP synchronization over the internet but it is complicated and it can't be used to synchronize domain controllers in the same domain.
 

Booty

Senior member
Aug 4, 2000
977
0
0
What kind of firewall(s) do you have? I wouldn't think you'd have to spend a ton of money to upgrade them... then again, I'm no expert.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Why connect every office to every other office (a full mesh)? You could always do a hub or ring topology and that would greatly simplify administration.

See KB's post; you've got a couple of options for AD replication. I suggest that regardless of what you choose that the replication between DCs occurs through a secure channel (dedicated lines or a VPN).
 
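As an added illustration of the hub topology suggested above (example code, not posted by anyone in this thread): the AD site links are laid out as hub-and-spoke so that a branch DC only ever replicates with the hub site, which is all a single VPN tunnel needs to carry. It assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2012 and later), Enterprise Admin rights, and the site names below, which are placeholders.

```powershell
# Added example (not from the thread): hub-and-spoke AD site topology so each
# branch DC replicates only with the hub over a single VPN tunnel.
# Assumes the ActiveDirectory module, Enterprise Admin rights, and placeholder site names.
Import-Module ActiveDirectory

$hub    = 'Hub-Site'                                  # placeholder: the office every tunnel lands on
$spokes = @('Branch-A', 'Branch-B', 'Branch-SOHO')    # placeholders: the remote offices

# Create the sites if they do not exist yet.
foreach ($site in @($hub) + $spokes) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# One IP (RPC) site link per spoke, each containing only that spoke and the hub.
# With no spoke-to-spoke link, the KCC has no site link over which to build a
# direct connection between two branches that cannot reach each other.
foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $hub, $spoke `
            -InterSiteTransportProtocol IP `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15
    }
}

# The branches are not fully routed to each other, so turn off automatic
# site-link bridging on the IP transport (options bit 0x2 = "bridges required").
# Left on, the KCC assumes every site can reach every other site transitively.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$current = (Get-ADObject -Identity $ipTransport -Properties options).options
if (-not $current) { $current = 0 }
Set-ADObject -Identity $ipTransport -Replace @{ options = ($current -bor 2) }

# Show the resulting topology: each link, its cost, and the sites it joins.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost |
    Select-Object Name, Cost,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

After running this, move any sites still listed in DEFAULTIPSITELINK onto the new links (or delete that link), otherwise it continues to join all sites together and undoes the hub design. The VPN on the hub side still terminates one tunnel per branch; only the branch firewall is limited to a single tunnel, which is exactly what this layout requires of it.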

Darksamie

Senior member
Mar 23, 2000
220
0
0

You are correct - the replication has to occur across an encrypted channel, however I think meshing will be the only way possible.

Looks like I will have to upgrade the firewall there.

In answer to a previous post - I am using Watchguard Firebox 700's in 3 locations, and a Firebox SOHO in the problem one.
 